SecurityCenter API: Credential

/credential

Methods
GET

Gets the list of Credentials.

Fields Parameter

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

NOTE: 'typeFields' returns type-specific parameters inside of a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns as follows:

type "database": login, password, sid, port, authType, dbType, oracleAuthType, oracle_service_type, SQLServerAuthType, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, lieberman_system_name

type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, beyondtrust_host, beyondtrust_port, beyondtrust_api_key, beyondtrust_duration, beyondtrust_use_ssl, beyondtrust_verify_ssl, beyondtrust_use_private_key, beyondtrust_use_escalation

type "snmp": communityString

type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, beyondtrust_host, beyondtrust_port, beyondtrust_api_key, beyondtrust_duration, beyondtrust_use_ssl, beyondtrust_verify_ssl

Allowed Fields

*id
**name
**description
**type
creator
target
groups

typeFields
tags
createdTime
modifiedTime
canUse
canManage 

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Filter Parameters

usable - The response will be an object containing an array of usable Credentials. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Credentials. By default, both usable and manageable objects are returned.

Example Response
{
	"type" : "regular",
	"response" : {
		"usable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		],
		"manageable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		]
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1408719365
}
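
An added example, not part of the SecurityCenter documentation, of using the typeFields data from this endpoint defensively: it flags vault-backed credentials whose TLS or certificate-verification switch is off. It assumes the list was requested with ?fields=id,type,typeFields and that the switches come back with the same string values the POST parameters accept; the helper names are hypothetical.

```python
# Added example, not SecurityCenter code: audit the TLS switches of
# vault-backed credentials in a GET /credential response.

# TLS parameters named on this page, keyed by the authType they belong to.
TLS_FLAGS = {
    "cyberark": ("vault_use_ssl", "vault_verify_ssl"),
    "lieberman": ("lieberman_use_ssl", "lieberman_verify_ssl"),
    "beyondtrust": ("beyondtrust_use_ssl", "beyondtrust_verify_ssl"),
    "thycotic": ("thycotic_ssl_verify",),
}
# The page documents two spellings: "false"/"true" and "no"/"yes".
OFF, ON = {"false", "no"}, {"true", "yes"}


def audit_tls(credential):
    """Return (field, value, problem) findings for one credential."""
    fields = credential.get("typeFields", {})
    auth = str(fields.get("authType", "")).lower()
    findings = []
    # typeFields ignores authType, so only read the flags of the active one.
    for flag in TLS_FLAGS.get(auth, ()):
        value = str(fields.get(flag, "")).strip().lower()
        if value in OFF:
            findings.append((flag, value, "disabled"))
        elif value not in ON:
            findings.append((flag, value, "unset or unrecognised"))
    return findings


def audit_all(body):
    """Audit every credential once, although it may sit in both arrays."""
    report = {}
    response = body.get("response", {})
    for bucket in ("usable", "manageable"):
        for cred in response.get(bucket, []):
            if cred["id"] not in report:
                report[cred["id"]] = audit_tls(cred)
    return {cid: found for cid, found in report.items() if found}


def make_cred(cid, ctype, **type_fields):
    """Build one constructed credential object for the sample below."""
    return {"id": cid, "type": ctype, "typeFields": type_fields}


# Constructed sample, assuming ?fields=id,type,typeFields was requested.
CREDS = [
    make_cred("1000001", "ssh", authType="cyberark",
              vault_use_ssl="true", vault_verify_ssl="false"),
    make_cred("1000002", "windows", authType="BeyondTrust",
              beyondtrust_use_ssl="yes", beyondtrust_verify_ssl="no"),
    make_cred("1000003", "ssh", authType="password", vault_verify_ssl="false"),
    make_cred("1000004", "windows", authType="thycotic",
              thycotic_ssl_verify="yes"),
]
SAMPLE = {"type": "regular",
          "response": {"usable": CREDS, "manageable": CREDS[:2]}}

if __name__ == "__main__":
    for cid, findings in audit_all(SAMPLE).items():
        print(cid, findings)
```

Credential 1000003 is not reported even though it carries a stale vault_verify_ssl value, because its authType is "password" and the vault settings are not in use.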

 

POST

Adds a Credential.

Request Parameters
{
	"name" : <string>,
	"tags" : <string> DEFAULT "",
	"description" : <string> DEFAULT "",
	"type" : <string> "database" | "windows" | "snmp" | "ssh"
	...
}

type is "database"

{
	...
	"login" : <string>,	
	"sid" : <string> DEFAULT "",
	"authType" : <string> "cyberark" | "lieberman" | "password",
	"dbType" : <string> "Oracle" | "SQL Server" | "DB2" | "MySQL" | "PostgreSQL" | "Informix/DRDA",
	"port" : <string> (valid port number),

	authType "password"
	-------------------
	"password" : <string>,
	
	authType "cyberark"
	------------------
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string> "false" | "true",
	"vault_verify_ssl" : <string> "false" | "true",
	"vault_address" : <string> DEFAULT "",
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>,
	"dbType" : <string>,

	authType "lieberman"
	--------------------
	"lieberman_host" : <string> (valid IP or IP host),
	"lieberman_port" : <string> (valid port number),
	"lieberman_pam_user" : <string> DEFAULT "",
	"lieberman_pam_password" : <string> DEFAULT "",
	"lieberman_use_ssl" : <string> "false" | "true",
	"lieberman_verify_ssl" : <string> "false" | "true",
	"lieberman_system_name" : <string>,
	
	dbType "Oracle"
	---------------
	"OracleAuthType" : <string>,
	"oracle_service_type" : <string>,


	dbType "SQL Server"
	-------------------
	"SQLServerAuthType" : <string>,
}

type is "ssh"

{
	...
	"username" : <string>,
	"authType" : <string> "BeyondTrust" | "certificate" | "cyberark" | "kerberos" | "lieberman" | "password" | "publickey" | "thycotic",
	authType "BeyondTrust"
	----------------------
	"beyondtrust_host" : <string> (valid IP or IP host),
	"beyondtrust_port" : <string> (valid port number),
	"beyondtrust_api_key" : <string>,
	"beyondtrust_duration" : <string>,
	"beyondtrust_use_ssl" : <string> "no" | "yes",
	"beyondtrust_verify_ssl" : <string> "no" | "yes",
	"beyondtrust_use_private_key" : <string> "no" | "yes",
	"beyondtrust_use_escalation" : <string> "no" | "yes",
	
	authType "certificate"
	---------------
	"publicKey" : <string>,
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login",
	
	authType "cyberark"
	-------------------
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string> "false" | "true",
	"vault_verify_ssl" : <string> "false" | "true",
	"vault_address" : <string> DEFAULT "",
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>,
	"privilegeEscalation" : <string> "none" DEFAULT "none",
	
	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login",

	authType "lieberman"
	--------------------
	"lieberman_host" : <string> (valid IP or IP host),
	"lieberman_port" : <string> (valid port number),
	"lieberman_pam_user" : <string> DEFAULT "",
	"lieberman_pam_password" : <string> DEFAULT "",
	"lieberman_use_ssl" : <string> "false" | "true",
	"lieberman_verify_ssl" : <string> "false" | "true",
	
	authType "password"
	-------------------
	"password" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login",
	
	authType "publickey"
	--------------------
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login",
	
	authType "thycotic"
	--------------------
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_private_key" : <string> "no" | "yes",
	"thycotic_ssl_verify" : <string> "no" | "yes",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
	
	privilegeEscalation ".k5login"
	-----------------------------
	"escalationUsername" : <string>
	
	privilegeEscalation "cisco"
	---------------------------
	"escalationPassword" : <string>
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string>,
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "pbrun"
	---------------------------
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su+sudo"
	-----------------------------
	"escalationSuUser" : <string>,
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su" | "sudo"
	---------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
}

type is "snmp"

{
	...
	"communityString" : <string>
}

type is "windows"

{
	...
	"username" : <string>,
	"authType" : <string> "BeyondTrust" | "cyberark" | "kerberos" | "lieberman" | "lm" | "ntlm" | "password" | "thycotic",

	authType "BeyondTrust"
	----------------------
	"domain" : <string> DEFAULT "",
	"beyondtrust_host" : <string> (valid IP or IP host),
	"beyondtrust_port" : <string> (valid port number),
	"beyondtrust_api_key" : <string>,
	"beyondtrust_duration" : <string>,
	"beyondtrust_use_ssl" : <string> "no" | "yes",
	"beyondtrust_verify_ssl" : <string> "no" | "yes"
	
	authType "cyberark"
	-------------------
	"domain" : <string> DEFAULT "",
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string>,
	"vault_verify_ssl" : <string>,
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>


	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>


	authType "lieberman"
	--------------------
	"lieberman_host" : <string> (valid IP or IP host),
	"lieberman_port" : <string> (valid port number),
	"lieberman_pam_user" : <string> DEFAULT "",
	"lieberman_pam_password" : <string> DEFAULT "",
	"lieberman_use_ssl" : <string> "false" | "true",
	"lieberman_verify_ssl" : <string> "false" | "true"
	
	authType "lm" | "ntlm" | "password"
	-----------------------------------
	"password" : <string>,
	"domain" : <string> DEFAULT ""
	
	authType "thycotic"
	-------------------
	"domain" : <string> DEFAULT "",
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_ssl_verify" : <string> "no" | "yes",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
}
Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

/credential/{id}

Methods
GET

Gets the Credential associated with {id}.

Fields Parameter

The fields parameter should be specified along the query string, and it takes the syntax

    ?fields=<field>,...

NOTE: 'typeFields' returns type-specific parameters inside of a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns as follows:

type "database": login, password, sid, port, dbType, oracleAuthType, oracle_service_type, SQLServerAuthType, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, lieberman_system_name

type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, beyondtrust_host, beyondtrust_port, beyondtrust_api_key, beyondtrust_duration, beyondtrust_use_ssl, beyondtrust_verify_ssl, beyondtrust_use_private_key, beyondtrust_use_escalation

type "snmp": communityString

type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify, lieberman_host, lieberman_port, lieberman_pam_user, lieberman_pam_password, lieberman_use_ssl, lieberman_verify_ssl, beyondtrust_host, beyondtrust_port, beyondtrust_api_key, beyondtrust_duration, beyondtrust_use_ssl, beyondtrust_verify_ssl

Allowed Fields

*id
**name
**description
**type
creator
groups

target
typeFields
tags
createdTime
modifiedTime
canUse
canManage

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

PATCH

Edits the Credential associated with {id}, changing only the passed-in fields.

Request Parameters

Note #1: A Credential's 'type' parameter may not be modified, but 'authType' may be modified.

Note #2: When a Credential's authType, dbType, or privilegeEscalation parameters are modified, the parameters that no longer apply will be cleared by default.

Parameters that may still apply, however, are maintained by default. Either kind of parameter may be passed explicitly to override the default, though passing a field that no longer applies gives an error.

For example, if privilegeEscalation is modified from 'su' to 'pbrun', both 'escalationPassword' and 'escalationPath' still apply and will be maintained. The escalationUsername parameter no longer applies, however, and will be cleared.

Note #3: When a password field is saved, the response will contain the string "SET" in place of its value. During PATCH, however, "SET" should not be passed back, or it will be considered to be the new password.

(All fields are optional)

See /credential::POST for parameters.

Example Response
See /credential/{id}::GET
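
One way to honor Note #1 and Note #3 when a client round-trips a GET response into a PATCH, as an added example that is not part of the SecurityCenter documentation: the helper flattens typeFields into the flat shape the request parameters use, sends only changed fields, and drops any echoed "SET" placeholder. The SECRET_FIELDS list, the assumption that every secret parameter (not only "password") is echoed as "SET", and the function names are assumptions.

```python
# Added example, not SecurityCenter code: turn an edited copy of a
# GET /credential/{id} response into a minimal, safe PATCH body.

PLACEHOLDER = "SET"  # what responses show in place of a saved password

# Secret-bearing parameters named on this page. Assumption: each of them
# (not only "password") is echoed as the placeholder once saved.
SECRET_FIELDS = frozenset({
    "password", "passphrase", "privateKey", "communityString",
    "escalationPassword", "vault_password", "vault_cyberark_private_key",
    "vault_cyberark_private_key_passphrase", "lieberman_pam_password",
    "thycotic_password", "beyondtrust_api_key",
})

TOP_LEVEL = ("name", "description", "tags", "type")


def flatten(credential):
    """Flatten a response object into the flat shape request bodies use."""
    flat = {k: credential[k] for k in TOP_LEVEL if k in credential}
    flat.update(credential.get("typeFields", {}))
    return flat


def build_patch(current, edited):
    """Return only the changed fields, never an echoed "SET" placeholder."""
    before = flatten(current)
    patch = {}
    for key, value in edited.items():
        if key == "type":
            if value != before.get("type"):
                raise ValueError("a Credential's 'type' may not be modified")
            continue
        if key in SECRET_FIELDS and value == PLACEHOLDER:
            continue  # echoed placeholder, not a new secret
        if key in before and before[key] == value:
            continue  # unchanged; PATCH only needs the passed-in fields
        patch[key] = value
    return patch


# Constructed sample, shaped like the page's example response.
CURRENT = {
    "id": "1000009", "type": "database", "name": "'database' Test PATCH",
    "description": "", "tags": "",
    "typeFields": {"login": "test", "password": "SET", "sid": "",
                   "port": "49", "dbType": "Oracle"},
}

if __name__ == "__main__":
    edited = flatten(CURRENT)
    edited["port"] = "1521"  # the only intended change
    print(build_patch(CURRENT, edited))
```

A naive client that sends the whole edited object back would include "password" : "SET" and silently replace the stored secret; with this helper the body contains only the changed port.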

DELETE

Deletes the Credential associated with {id}, depending on access and permissions.

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : "",
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1408723358
}

/credential/{id}/share

Methods
POST

Shares the Credential associated with {id}, depending on access and permissions.

Note: Admin users cannot share credentials. Application credentials cannot be shared.

Request Parameters
{
	"groups" : [
		{
			"id" : <number>
		}...
	]
}
Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000002",
		"creatorID" : "1",
		"ownerID" : "1",
		"type" : "kerberos",
		"name" : "test",
		"description" : "",
		"tags" : "",
		"createdTime" : "1407871560",
		"modifiedTime" : "1407871560",
		"ownerGID" : "0",
		"targetGID" : "-1",
		"ip" : "192.168.1.1",
		"port" : "1",
		"protocol" : "stuff",
		"realm" : "stuff",
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1409082841
}

/credential/tag

Methods
GET

Gets the full list of unique Credential tags.

Note: Organization user responses will contain both organization and admin policy tags. Admin user responses will contain only admin policy tags.

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : [
		"Tag1",
		"Tag2",
		"Tag3"
	],
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1461093219
}